Created on 07-30-2024 08:03 AM
Edited on 09-16-2025 11:34 PM
By Jean-Philippe_P
Description: This article describes how to resolve an issue where a website is blocked by the SSL application signature with the reason 'cert-probe-failure'.
Scope: FortiGate.
Solution:
Beginning with FortiOS versions 7.2.11, 7.4.5, and 7.6.1, the cert-probe-failure setting applies to both flow-based and proxy-based inspection. In earlier releases (v7.2.10, v7.4.4, v7.6.0, and prior), flow-based inspection always behaved as if cert-probe-failure was set to allow, and this could not be changed. In the newer versions the behavior is configurable and the default is block, so a site whose certificate probe fails may start being blocked in flow mode after an upgrade even though nothing in the policy was changed.
The forward traffic logs show the session blocked by UTM, with application name SSL.
In this example, checking Log & Report -> Security Events -> SSL shows that the site is blocked with the reason certificate-probe-fail.
The built-in 'certificate-inspection' profile is read-only, so as a workaround create a new ssl-ssh-profile and set cert-probe-failure to allow under the relevant protocol (for example https):
    config firewall ssl-ssh-profile
        edit "new-profile"
            config <protocol name>
                set cert-probe-failure allow    <-- Set it to allow (default action = block).
            end
        next
    end
Then reference this new ssl-ssh-profile in the firewall policy that allows the outbound traffic.
The certificate probe is a separate TLS connection that the FortiGate initiates to the target server, so it may need extra parameters (for example a specific egress interface) to reach the server at all; a probe that cannot reach the server fails and, with the default block action, the site is blocked. Probe traffic is controlled with the following options:
    config ips global
        config tls-active-probe
            set interface-selection-method <auto|sdwan|specify>
        end
    end
Note: Starting from FortiOS v7.6.0, the default action for 'cert-probe-failure' is set to allow. Because the default differs between releases, check the effective value on the unit with 'show full-configuration firewall ssl-ssh-profile' rather than relying on 'show', which hides settings left at their default.
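The complete CLI sequence for the workaround above, as an added example that is not part of the original article: it creates the profile with cert-probe-failure set to allow for HTTPS, attaches the profile to an existing outbound policy, pins the probe to a specific egress interface, and then verifies the effective setting. The profile name "new-profile", policy ID 1 and interface name "wan1" are placeholders assumed for illustration; substitute your own.

```text
# Assumed: FortiOS 7.2.11 / 7.4.5 / 7.6.1 or later.
# "new-profile", policy ID 1 and "wan1" are placeholders, not values from the article.

# 1. Create a writable certificate-inspection profile with the probe failure allowed.
config firewall ssl-ssh-profile
    edit "new-profile"
        set comment "Certificate inspection; allow sites whose certificate probe fails"
        config https
            set ports 443
            set status certificate-inspection
            set cert-probe-failure allow
        end
    next
end

# 2. Apply the new profile to the policy that allows the outbound traffic.
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "new-profile"
    next
end

# 3. Send the certificate probe out of a specific interface when "auto" cannot reach the server.
config ips global
    config tls-active-probe
        set interface-selection-method specify
        set interface "wan1"
    end
end

# 4. Verify the effective value; plain 'show' omits settings left at their default.
show full-configuration firewall ssl-ssh-profile new-profile | grep cert-probe-failure
```

Keep the 'block' action where the probe works and only the problematic destinations need to be reached: setting cert-probe-failure to allow means a server whose certificate cannot be fetched is no longer held back by this check, so confirm the probe path (step 3) first and relax the action only if the probe still cannot succeed.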